Skip to main content
Version: 5.7.x.x Java 8 ELS

Server configuration

nevisProxy server properties are configured via the four tags Service, Core, Timer, and Server. The Qos tag defines some frequently used attributes of Apache's quality of the service module mod_qos. By setting the Qos tag parameters, you enable a basic protection against denial of service (DoS) attacks. The Qos tag is optional.

Service

The attributes in the following table are only relevant for integration purposes and are mainly documented here as a reference. If nevisProxy is installed using the delivered package, none of these parameters need to be changed. The Service section does not contain any operation-relevant parameters (e.g., scaling).

NameType, Usage constraints, DefaultsDescription
commandLinestring optional, advanced, supports variable replacementThe attribute 'commandLine' configures the command line arguments that will be used for starting the server. Example: commandLine="-X" starts the Apache server in debug mode. With the commandline argument NAVAJOgroup=<group-name> the group of the initial process can be configured. If configured, a 'setgid(..) call will be made. If an error occurs, an error message will be traced on 'stderr' but without terminating the process.
hostTemplatestring required, advanced, supports variable replacement, default:/opt/nevisproxy/etc/host2.templateThe attribute 'hostTemplate' specifies the path to the template file used for creating the host part of the generated Apache configuration file (httpd.conf). It is not recommended to change this setting.
namestring optional, advanced, supports variable replacement default: isi3webThe attribute 'name' is a logical name. It is reserved for future use (e.g., running several services in one carrier server). This value should not be changed.
spoolDirstring required, advanced, supports variable replacement default: <spool_dir>The path of the spooldir, i.e., the directory that contains the directory 'logs' for log files and 'run' for runtime data. This value should not be changed (must not be an NFS-mounted directory).
serverTemplatestring required, advanced, supports variable replacement default: /opt/nevisproxy/etc/server2.templateThe attribute 'serverTemplate' specifies the path to the template file used to create the server part of the generated Apache 2 configuration file. Should not be changed. (Changing that file is a way of including additional Apache1/2 modules. However, that should not be necessary. Contact Nevis if you think you need additional modules.)
verboseboolean: true, false optional, troubleshooting default: falseThe attribute 'verbose' specifies server verbosity. If set to 'true', the message of all caught exceptions is sent to the client. Should be set to 'false' in production.
crashRecoveryStrategyenum: recover, block; default: recoverSpecifies what should happen after a worker crash. By default, the child process is recovered by the parent process. If block is configured, after a worker crash every request will be blocked by 503 Service Unavailable status code. This feature can be useful for liveness test in kubernetes setups, so the given pod can be terminated normally in case of a crash. Note for testing: with the strategy block, the blocking takes place only if at least one request is in processing when the crash occurs.

Core

The attributes in the following table are only relevant for integration purposes and are mainly documented here for reference. If nevisProxy is installed using the delivered package, none of these parameters needs to be changed. The Core section does not contain any operation-relevant parameters.

Deprecated

The runtime model and the memory type used (depending on whether Apache1 or Apache2 is used) in the Core configuration tag are deprecated.

NameType, Usage constraints, DefaultDescription
memoryProtectionboolean: true, false, optional, advanced, default: trueThe attribute memoryProtection configures memory protection. After initialization and loading of all web applications, the container memory is write protected. This is possible only if memory type is set to ’shared’. Use of memory protection is recommended for the following reasons: The server can be restarted and current session context (authenticated users) is kept. Vendor code, that violates memory, is likely to not being able to corrupt nevisProxy runtime structures and user session context. Must not be changed.
memorySizeinteger [bytes]required, advanced, supports variable replacement default: 10’000’000The attribute memorySize specifies the amount of memory to be allocated. This memory is used to store the nevisProxy’s runtime structures. Memory requirements depend mainly on the size and number of the web applications to be loaded. The used memory, i.e. shared or heap, is configured in the Core element. (After booting the service, a log entry shows used and available memory. This information can be used for optimizing the configuration.) This parameter has to be increased if starting of nevisProxy failed due to out of memory errors. The default of 10 MB is about 10 times higher than a usual reverse proxy setup requires. See also "Appendix G - Sizing Parameters in the Nevis Proxy".
memoryTypeenumeration: heap, sharedoptional, advanced, default: sharedThe attribute memoryType is used to configure the memory model used. Can be changed for performance reasons.
memoryAnonomousboolean, default: trueThe attribute memoryAnonymous configures memory mapping. If set to ’false’, the shared memory will be mapped to a file <workDir>/shared_map_XXXXXX. Otherwise it will be mapped anonymously.
workDirstringrequired, advanced, supports variable replacement, default: <spool_dir>/runThe attribute workDir configures the directory for the internal files. Should not be changed (may not be an NFS-mounted directory).

Timer

Timers are used to trigger asynchronous functions like the periodic check of the session cache for expired sessions.

NameType, Usage constraints, DefaultDescription
periodicityinteger [sec]optional, advanced, supports variable replacement, default: 60The attribute periodicity configures the periodicity of the internal timer for releasing unused resources. A session with an absolute timeout of 2 hours would therefore have a real maximum lifetime of 2 hours and 60 seconds, in this case. Setting the value to a lower number, in turn, leads to more load.

Server

The Server configuration tag contains the values that are used for the server part of the generated Apache configuration. The next table describes the relevant attributes. Note that all these attributes support variable replacement.

All listed parameters are directives of the Apache carrier server. They are documented in the corresponding Apache documentation: official Apache documentation.

NameType, Usage constraints, DefaultDescription
DocumentRootstring required, advanced default: @PKG_VAR@/@PKG_INSTANCE@/htdocsDeprecated The DocumentRoot parameter is deprecated. The attribute DocumentRoot configures the document directory for the Apache web server. It can be accessed from outside with a browser, the directory should therefore be empty. Should not be changed.
Userstring required, advanced default: @PROXY_RT_USER@The attribute User configures the owner of the running nevisProxy process. Should not be changed, as changes may lead to permission problems. If you set this attribute yourself, make sure that the ownership of the configuration, log files, and access to the binaries are set accordingly.
Groupstring required, advanced default: @PROXY_RT_GROUP@The attribute Group configures the process group of the current nevisProxy process. Should not be changed, as changes may lead to permission problems. If you set this attribute yourself, make sure that the ownership of the configuration, log files, and access to the binaries are set accordingly.
KeepAliveenum: on, off optional, advanced default: onThe attribute KeepAlive configures the HTTP keepalive behavior of the frontend connectors of nevisProxy. If set to "on", it enables HTTP persistent connections. The thread or process remains bound to the client and cannot be used by others during the time period defined by the attribute KeepAliveTimeout.
KeepAliveTimeoutinteger [seconds] optional scaling, advanced default: 5Defines the number of seconds Apache HTTPD will wait for a subsequent request before closing the connection. By adding the postfix ms the timeout can be also set in milliseconds.
MaxKeepAliveRequestsinteger optional, scaling default: 100The attribute MaxKeepAliveRequests limits the number of requests allowed per connection when the attribute KeepAlive is "on". If it is set to "0", an unlimited number of requests is allowed. It is recommended setting a high value for maximum server performance.
MaxClientsinteger optional, scaling default: 600MaxClients is the old name for the attribute MaxRequestWorkers. The attribute limits the number of simultaneous requests that will be served.
MaxRequestsPerChildinteger optional, advanced default: 0 (unlimited)MaxRequestsPerChild is the old name for the MaxConnectionsPerChild attribute. It limits the number of connections that an individual child server process will handle. After MaxRequestsPerChild connections, the child process will die. If the value of the attribute is "0", the process will never expire. Should not be changed.
Timeoutinteger [sec] optional, scaling default: 30Amount of time the server will wait for certain events before failing a request.
LimitRequestLineinteger [byte] optional, security default: 5120Limits the size of the HTTP request line that will be accepted from the client.
LimitRequestBodyinteger [byte] optional, scaling default: 512000The attribute specifies the number of bytes that are allowed in a request body. It restricts the total size of the HTTP request body sent from the client. Allowed are integers from "0" (meaning unlimited) to "2147483647" (2GB).
LimitRequestFieldsinteger [byte] optional, security default: 50Limits the number of HTTP request header fields that will be accepted from the client. Allowed are integers from "0" (meaning unlimited) to "32767".
LimitRequestFieldsizeinteger [byte] optional, security default: 5120Limits the size of the HTTP request header allowed from the client.
LimitRequestParametersinteger optional, security default: 10’000The maximum number of parameters allowed in a request.
Loglevelenum optional, troubleshooting, default: noticeThe Loglevel attribute adjusts the verbosity of the messages recorded in the error logs (see the ErrorLog attribute). The directive Loglevel can be used to configure per-module log levels. Specifying a level without a module name will reset the level for all modules to that level. Specifying a level with a module name will set the level for that module only. An example configuration to configure the removed SSLLogLevel directive might look like this: Loglevel="info ssl:debug". For the available options, see the official Apache documentation.
ErrorLogstring required, advanced default: "&quot;\|@PKG_HOME@/bin/bclogmgr size=1000000 archives=10 @PKG_VAR@/@PKG_INSTANCE@/logs/apache.log&quot;"Location where the server will log errors ("apache.log" by default). In the pkg default configuration, the file rotation of the error log is enabled using the bclogmgr. Note: The character must be escaped in XML using &quot;. Notes about configuring a custom location: The directory containing the logs must exist when starting the instance. The nevisProxy user must be able to read and write in this directory. See its username and group in the <Server> element of the navajo.xml file.
TransferLogstring optional, basic feature, default: "&quot;\|@PKG_HOME@/bin/bclogmgr size=10000000 archives=10 @PKG_VAR@/@PKG_INSTANCE@/logs/access.log&quot;"Specifies the location of the access log file. In the pkg default configuration, the file rotation of the error log is enabled using the bclogmgr. Note: The character must be escaped in XML using &quot;. Notes about configuring a custom location: The directory containing the logs must exist when starting the instance. The nevisProxy user must be able to read and write in this directory. See its username and group in the <Server> element of the navajo.xml file. See also Enabling the Apache transfer log.
CustomLogstring optional, advanced feature, default: "&quot;\|@PKG_HOME@/bin/qslog -f ISBDUkEa -x -u @PROXY_RT_USER@ -o @PKG_VAR@/@PKG_INSTANCE@/logs/stat.log&quot; &quot;%h %>s %b %D %{clID}e %k %{Event}e %{dTr1B}e&quot;"Configures an additional log facility. Note: The character must be escaped in XML using &quot;. Notes about configuring a custom location: The directory containing the logs must exist when starting the instance. The nevisProxy user must be able to read and write in this directory. See its username and group in the <Server> element of the navajo.xml file. See also Using the Apache CustomLog.
LogFormatstring optional, advanced default: "&quot;%h %l %u %t \&quot;%r\&quot; %>s %b %{content-length}i %T \&quot;%{Referer}i\&quot; \&quot;%{User-Agent}i\&quot; trID=%{UNIQUE_ID}e&quot;"This attribute specifies the format of the access log file. Note: The character must be escaped in XML using &quot;
ServerAdminstring required, advanced default: [email protected]Deprecated This attribute is deprecated. The attribute ‘ServerAdmin’ configures the mail address of the server administrator and should be changed after installation. As the default Apache error page should never be displayed, this attribute is not really relevant.
ServerNamestring required, basic connectivity default: DNS name of the machineThe attribute ServerName sets the request scheme, hostname and port that the server uses to identify itself. Syntax: `[scheme://]domain-name
ServerRootstring required, advanced default: @PKG_VAR@/@PKG_INSTANCE@The attribute ServerRoot configures the root directory of the Apache web server. Should not be changed.
ServerSignatureenum: On, Off, EMail optional default: OffConfigures the Apache directive "ServerSignature". Usually this should not be changed.
ServerTokensenum: Major|Minor|Min[imal]|Prod[uctOnly]|OS|Full optional, advanced default: ProdThis attribute controls whether the Server response header field, which is sent back to clients, includes a description of the generic OS-type of the server as well as information about compiled-in modules. Possible values:
  • ServerTokens Full: Server sends (e.g.): Server: Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2
  • ServerTokens Prod[uctOnly]: Server sends (e.g.): Server: Apache
  • ServerTokens Major: Server sends (e.g.): Server: Apache/2
  • ServerTokens Minor: Server sends (e.g.): Server: Apache/2.4
  • ServerTokens Min[imal]: Server sends (e.g.): Server: Apache/2.4.2
  • ServerTokens OS: Server sends (e.g.): Server: Apache/2.4.2 (Unix)
This setting applies to the entire server. It cannot be enabled or disabled on a virtualhost-by-virtualhost basis.
Includestring optional, advanced default: not setUse this attribute to include any additional Apache configuration fragment.
CoreDumpDirectorystring optional, troubleshooting default: not setThe attribute CoreDumpDirectory configures the directory to which the Apache web server writes core files.
UseCanonicalNameenum: On, Off, DNS optional, troubleshooting default: OnConfigures how the server determines its own name and port. For more information, see the official Apache documentation.
ThreadStackSizeinteger optional, scaling default: 1048576Defines the size in bytes of the stack used by threads handling client connection. See also Appendix G - Sizing Parameters in the Nevis Proxy.
HttpProtocolOptionsstring optional, advanced default: not setModifies restrictions on HTTP Request Messages.Syntax: `[Strict
SSLPassPhraseDialogstring optional, advanced default: ‘builtin’The attribute SSLPassPhraseDialog configures the passphrase retriever used by mod_ssl. Only the "builtin" option is supported. For information on how the passwords for password protected keys are fetched, see the description of the bc-properties bc.security.PassPhrasePolicy and bc.security.PassPhraseDialog in the chapter Low-level properties.
SSLSessionCacheTimeoutinteger optional default: 300Defines the number of seconds before an SSL session expires in the Session Cache. This directive sets the timeout in seconds for the information stored in the global/inter-process SSL Session Cache, the OpenSSL internal memory cache and for sessions resumed by TLS session resumption (RFC 5077). It can be set as low as 15 for testing, but should be set to higher values like 300 in real life. If you use an own SSLCache or RemoteSSLCache, the system ignores the SSLSessionCacheTimeout parameter.
SSLSessionCachestring , optional , default: shmcb:@PKG_VAR@/@PKG_INSTANCE@/run/apache_shmcb"This attribute defines the TLS session cache. The following value options are available: "None" This setting disables the global/inter-process TLS session cache. It will incur a noticeable speed penalty and may cause problems if using certain browsers, particularly if client certificates are enabled. We do not recommend this setting. "Nonenotnull" This setting disables any global/inter-process TLS session cache. However, the setting does force OpenSSL to send a non-null session ID, to accommodate buggy clients that require one. "shmcb:/path/to/datafile[(size) This setting makes use of a high-performance cyclic buffer (approx. (size) bytes in size) inside a shared memory segment in RAM (established via/path/to/datafile*), to synchronize the local OpenSSL memory caches of the server processes. The default parameter of SSLSessionCache refers to the generated xml’s content. Removing the parameter sets the SSLSessionCache to none.